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Prohibiting RC4 Cipher Suites 


Abstract 
This document requires that Transport Layer Security (TLS) clients 
and servers never negotiate the use of RC4 cipher suites when they 
establish connections. This applies to all TLS versions. This 
document updates RFCs 5246, 4346, and 2246. 

Status of This Memo 


This is an Internet Standards Track document. 


This document is a product of the Internet Engineering Task Force 
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Internet Engineering Steering Group (IESG). Further information on 
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Information about the current status of this document, any errata, 
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1. Introduction 


RC4 is a stream cipher that is described in [SCH]; it is widely 
supported, and often preferred by TLS servers. However, RC4 has long 
been known to have a variety of cryptographic weaknesses, e.g., see 
[PAU], [MAN], and [FLU]. Recent cryptanalysis results [ALF] exploit 
biases in the RC4 keystream to recover repeatedly encrypted 
plaintexts. 


These recent results are on the verge of becoming practically 
exploitable; currently, they require 2*%26 sessions or 13x2%30 
encryptions. As a result, RC4 can no longer be seen as providing a 
sufficient level of security for TLS sessions. 


This document requires that TLS ([RFC5246] [RFC4346] [RFC2246]) 
clients and servers never negotiate the use of RC4 cipher suites. 


1.1. Requirements Language 
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", “SHALL NOT", 
"SHOULD", “SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 
document are to be interpreted as described in [RFC2119]. 


2. Changes to TLS 


Because of the RC4 deficiencies noted in Section 1, the following 
apply: 


o TLS clients MUST NOT include RC4 cipher suites in the ClientHello 
message. 


o TLS servers MUST NOT select an RC4 cipher suite when a TLS client 
sends such a cipher suite in the ClientHello message. 
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o If the TLS client only offers RC4 cipher suites, the TLS server 
MUST terminate the handshake. The TLS server MAY send the 
insufficient_security fatal alert in this case. 


Appendix A lists the RC4 cipher suites defined for TLS. 


3. Security Considerations 


This document helps maintain the security guarantees of the TLS 
protocol by prohibiting the use of the RC4-based cipher suites 
(listed in Appendix A), which do not provide a sufficiently high 
level of security. 
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Appendix A. 


The following cipher suites defined for TLS use RC4: 


(0) 


(0) 


(0) 
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RC4 Cipher Suites 


TLS_RSA_EXPORT_WITH_RC4_40_MD5 


TLS_RSA_WITH_RC4_128_MD5 


TLS_RSA_WITH_RC4_128_SHA 


TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 


TLS_DH_anon_WITH_RC4_128_MD5 


TLS_KRB5_WITH_RC4_128_SHA 


TLS_KRB5_WITH_RC4_128_MD5 


TLS_KRB5_EXPORT_WITH_RC4_40_SHA 


TLS_KRB5_EXPORT_WITH_RC4_40_MD5 


TLS 


TLS 


TLS 


TLS 


TLS 


TLS 


TLS 


TLS 


TLS 


PSK_WITH_RC4_128_SHA 


DHE_PSK_WITH_RC4_128_SHA 


RSA_PSK_WITH_RC4_128_SHA 


ECD 


ECDSA_WITH_RC4_128_SHA 


ECD 


1E_ECDSA_WITH_RC4_128_SHA 


RSA_WITH_RC4_128_SHA 


1E_RSA_WITH_RC4_128_SHA 


ECDE 


anon_WITH_RC4_128 SHA 


ECD 


E_PSK_WITH_RC4_128_SHA 
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